SANS 2022 SOC Survey: A Look Inside

Splunk recently sponsored the annual SANS 2022 SOC Survey. In the survey of 519 respondents a range of industries, organizational sizes, geographies and roles were represented to explore “the ongoing development and progress of the security operations center (SOC).” In the following post, I’ll share the key highlights based on the report’s main sections of People, Capabilities, and Technology and I also encourage you to give it a read for yourself by clicking the following link. 

Note: If you are interested in downloading the full SANS survey dataset, you can find it here



The SOC’s human element is by far the greatest challenge

When 235 respondents responded to the question: “What is the greatest challenge (barrier) with regard to full utilization of your SOC capabilities by the entire organization?” the top answer is high staffing requirements. This is followed by a lack of skilled staff and in third place is a lack of automation and orchestration. As someone who thinks about SOAR all day, I must point out that if SOAR is implemented it would help address the first two challenges, but I digress. 


Addressing high SOC employee turnover

When 236 respondents are asked the question: “What is the average employment duration for an employee in your SOC environment (how quickly does staff turn over)?” 70% of responses are less than five years with 1-3 years being the most common response (36%). With such a low duration of employment in the SOC, the subsequent question is, “What is the most effective method you have found to retain employees?” The top answer is to provide staff with clear career progression followed by paying them well. The cost of hiring new staff exceeds the costs of training and developing existing staff. 


Welcome to the era of the Remote SOC

When 371 respondents were asked, “do you allow SOC staff analysts to work remotely?” 296 (80%) responded yes. The survey authors dive into the factors around this difficult decision, because it is not easy to weigh those risks. When asked, “What factors are considered in determining whether a SOC staff analyst can work remotely?” the majority (62%) answered that their leading consideration is if the platform securely supports a remote workforce. This was followed by their employee skill sets being capable enough to handle remote work.   



Does Your Team Even Count as a “SOC”?

Is your security team really a “SOC”? Let’s look at what others say. The leading responses when asked what capabilities they have within their SOC are detection/monitoring (98%), vulnerability assessments (97%), incident response (97%), and alert triage and escalation (97%). So if your team is performing any of these key areas, then you are in the overwhelming majority if you call yourself a SOC.

To outsource or not to outsource - that is the question

These are the top three most commonly outsourced SOC capabilities: Pen-testing (39%), Red-teaming (36%), and Purple-teaming (30%). When in-house and outsourced capabilities are combined, then threat intelligence (attribution), threat intelligence (feed consumption), and threat intelligence (production) are next on the list. 



Technology deployment is a good indicator of SOC maturity

I read an interesting definition the other day that “technology is defined as the application of scientific knowledge.” In cybersecurity, these applications are given unique titles, usually acronyms that the authors measure based on the percent of progress made in implementation. The authors categorize these stages as Planned, Purchased not implemented, Implementing, and Production.

How do SIEM and SOAR stack up?

The authors use a grade point average (GPA) system to rank security technologies and categorize them by whether or not they are actively in Production (deployed) or Planned. SIEM is ranked as one of the highest (7th out of 45) in the Production category and has the second highest GPA. SOAR is ranked highly in the Planned category (4th out of 45) and has a low GPA, which in my view indicates a correlation between deployment/implementation progress, the duration of time a technology has been available in the market, and GPA rankings. 

People + Capabilities (Process) + Technology


Tying the pieces together

Monitoring is a great use case to think about combining people, capabilities (process), and technology. When the respondents were asked “what is included in your security monitoring activities?” the top responses were detection of threats (86%), access and usage monitoring (83%), and protection of data (70%). And the assumption that most SOCs are operating 24 hours a day, every day is mostly validated by the response that only 17% of respondents indicated they do not operate 24x7.

SIEM and SOAR for event data correlation

Since multiple detection technologies are involved in the monitoring process, the authors asked respondents to answer their primary technology for event data correlation. SIEM is overwhelmingly used (47%) for data correlation and while SOAR was far behind in second place at 11%. The author predicts that more SOCs will shift this effort into SOAR, XDR and MDR in the future. 


Relationships between the SOC and IT

Respondents are asked, “What is your SOC’s relationship to your IT operations?” Over half of the responses were either a) that they work together on detection and response but aren’t technically integrated (28%) or b) they work together only when there are emergencies (23%). 


The SANS 2022 SOC Survey closes with interesting sections on investments, budgeting, and measurement so be sure to check out the full report in the link above. The survey is becoming increasingly useful for organizations that want to see how they stack up against their peers and think about moving farther along the maturity scale. While I hope that future reports will analyze a larger dataset, I give credit and thanks to SANS authors Chris Crowley and Barbara Filkins for bringing more objective clarity to the challenges facing the world of security operations professionals. 

Splunk is fully committed to answering the call for helping our customer’s SOCs turn their security ‘data into doing’ in order to bring together their people, capabilities and technology. To learn more about the state of security, be sure to check out our latest report The State of Security 2022.

Dane Disimino
Posted by

Dane Disimino

Dane Disimino has worked in security operations marketing roles for nearly 10 years. Before becoming a Splunker, he was bringing security operations technologies to market with VMware, Siemplify (part of Google Cloud), Dell Secureworks and Optiv. He holds a master's degree in Chinese Political Economy from Xiamen University and a bachelor’s in Management from Pace University. Based in Colorado, when he isn’t at work, you’ll find him outdoors fly fishing and exploring our National Parks.